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We demonstrate theoretically and experimentally that secure communication using intermediate- 
energy (mesoscopic) coherent states is possible. Our scheme is different from previous quantum 
cryptographic schemes in that a short secret key is explicitly used and in which quantum noise hides 
both the bit and the key. This encryption scheme can be optically amplified. New avenues are open 
to secure communications at high speeds in fiber-optic or free-space channels. 
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For the encryption of data with perfect secrecy Q that 
cannot be broken with any advance in technology, one 
may in principle employ one-time pad with secret key 
obtained by the BB84 [2| quantum cryptographic tech- 
nique for key expansion. Such an approach is possible , 
however, it is slow and inefficient because the key length 
needs to be as long as the data, and it also requires a 
nearly ideal quantum communication line that is diffi- 
cult to obtain in long distance commercial systems such 
as the Internet core. On the other hand, for both military 
and commercial applications, there arc great demands for 
secret communications that are fast and secure but not 
necessarily perfectly secure. (There are many practical 
issues, human as well machine based, that would make 
theoretical perfect security in specific models not so im- 
portant in real life Q). In the following, a new scheme 
based on ideas similar to those of Ref. [5j is described for 
secure data encryption that can be operated at optical 
speeds with conventional optical technology, and a pro- 
totype experimental implementation is presented. In this 
scheme, a short secret key is classically extended and then 
used to encrypt data in a way that the quantum noise of 
the coherent states protects both the data and the key. 

The following line of reasoning describes the ideas 
that led to the development of our present kind of quan- 
tum cryptographic schemes. One crucial element for ob- 
taining security in BB84 involves the detection of small 
intrusion on weak signals, which is difficult to achieve in 
a network environment. This problem would be allevi- 
ated if quantum signal sets of higher energy are selected 
for different bit values by a secret key shared between 
the sender (Alice) and the receiver (Bob). It is impor- 
tant to remember that some shared secret key is needed 
in BB84 for message authentication during protocol exe- 
cution. The resulting scheme is acceptable as key expan- 
sion if the new key is secure even if the shared secret key 
is known to the attacker after the user communications 
are completed. When a secret key is used to identify 
the signal set, it would be a secret CDMA (Code Divi- 
sion Multiple Access) scheme classically, which does not 
allow key expansion because the user and the attacker 
have the same observation. We would discuss elsewhere 
how a corresponding KCQ (Keyed CDMA in Quantum 
Noise) scheme can be used to obtain key expansion in the 



quantum case. In this paper, we are concerned with the 
use of KCQ for data encryption. 

There are two basic problems with classical encryp- 
tion that does not employ the inefficient one-time pads. 
One is that the total data uncertainty i?(X) given ob- 
servation Y is bounded above by the key uncertainty, 
H(X.) < H{K) Q. The other is that the key K may 
be found by a known-plaintext attack when the eaves- 
dropper (Eve) knows the output-input pairs (Y, X) for 
some data length. In our scheme, i?(X) is not bounded 
by i?(K) because Eve cannot have the observation Y 
that Bob obtained via the optimal quantum measurement 
utilizing the key K. To extract information from even 
a full copy of the quantum signal without knowing K, 
Eve has to make a sub-optimal measurement that would 
yield information on all possible signal sets for the pur- 
pose of either estimating X or finding K from a known- 
plaintext attack. As a result. Bob has a better chan- 
nel/observation than Eve. Also, in contrast to classical 
cryptography, one can prove the security of our scheme 
against ciphertext-only attacks, although only individual 
attacks are described in this paper. One can show that, in 
a properly designed system, even an exponentially pow- 
erful search with known-plaintext attacks cannot succeed 
because Eve does not have Y as above. Practically, our 
scheme can run at high speeds because there is no need 
for a long key K. 

Consider the following scheme in which each data bit is 
encoded into a coherent state of an infinite-dimensional 
space, referred to as a "qumode". As in [3, there are M 
possible states 



|ao(cos6'/ + i sin6'/)), 6*; = 27rZ/M 



(1) 



for a real ao and I G {0, • • • , M — 1}, forming M/2 pairs 
{I, I + M/2}. A seed key K is used to drive an encryp- 
tion mechanism whose output is a much longer running 
key K' that is used to determine, for each qumode carry- 
ing bit b (= 0, 1); which pair of signals (signal set) is to 
be used. Each pair may be macroscopically distinguish- 
able since the inner product of any two basis states is 
exp(— 2|aoP)- For large M, a lower bound on the ob- 
tained mean-square error {66)'^ that goes as l/|aoP 
shows that asymptotically when M ^ |ao| the attacker's 
error probability tends to 1/2, the guessing level, in 
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FIG. 1: Pf as a function of M for \a\^ = 1, 10, 100, 1000. 



an individual attack on the data bit b. That this result 
holds in the limit M — > cc for fixed |ao| is intuitively 
obvious. A two- mode coherent-state realization similar 
to Eq. (P), with jao cos 6'/)|ao sin 6*/), can also be used 
and the modes can be interpreted as ones of polariza- 
tion, time, frequency, or whatever. 

Numerical calculation of the optimal POVM for indi- 
vidual attack on bit discrimination for the M-ry case has 
shown that the minimum probability of error for 
an eavesdropper can be made arbitrarily close to 1/2 for a 
given coherent-state amplitude a. The value Pf ^1/2 
for a fixed average number of photons jap is achieved 
by increasing the number of levels M. As shown in Fig- 
ure ^ Pf goes very fast to the asymptotic pure-guessing 
limit of 1/2 as M increases. The above POVM calcu- 
lation demonstrates that in this scheme an eavesdrop- 
per cannot obtain the bits sent regardless of the preci- 
sion of her devices. The optimal POVM gives the max- 
imum amount of information she could obtain from the 
sequence of physical signals sent without knowing the 
key. This uncertainty is due to the quantum noise of 
light and cannot be overcome with one's precision capa- 
bilities. Bob, on the other hand, by knowing the key 
can extract information with greater precision. His deci- 
sion has to be made only between two nearly orthogonal 
states in the same basis defined by a given K'. His prob- 
abihty of error is ^ Pf = ^ (l - Vl - e^^Tlap^ ^ .^^j^ere 
T is the transmissivity of the channel. For large values 
of \a\ the minimum probability of error P^ is negligible, 
which makes possible an excellent signal recovery by the 
legitimate receiver. The case of collective attacks is more 
complicated and cannot be discussed here, in large part 
because there is no meaningful approach for evaluating 
the optimal bit error, even in the classical case. However, 
the entropy bound (Holevo's theorem) could be used to 
show the ideal nature of this scheme for the criterion of 
data entropy. 

The attacker can also try to find the key K based 
on her copy of the quantum signals, with or without 
some known-plaintext (data) corresponding to the sig- 
nals. Even in a known-plaintext attack, the signal quan- 
tum fluctuation would yield, from the number of possibil- 
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FIG. 2: Left side: Basic ciphering scheme with qumodes of 
polarization. Right side: Two neighboring bases in an M- 
ry manifold on a great circle of Poincare's sphere. Bits 
and 1 are antipodals for each basis. Closest states (similar 
polarization ellipses) represent opposite bit values. 



ities in each qumode, an exponential number of possible 
K' in a sequence of data bits. To identify K from such 
noisy observations of possible K' would involve an expo- 
nential search, which can always be launched against a 
key in known-plaintext attacks but which is currently be- 
lieved to be proven impossible computationally even with 
a quantum computer. Note that the attacker has a much 
more difficult job of estimating the signal pair from M /2 
possible ones, than the user who tries to discriminate 2 
possible known states. A detailed quantitative treatment 
would be given elsewhere. It is important to note that, in 
the case of classical cryptography, if the running key K' 
is used directly as one-time pad on the data, the result 
is well known [lO|| to be insecure against known-plaintext 
attacks. In our case, this attack is thwarted by quantum 
effects as explained above. 

Consider an implementation of the above scheme as de- 
picted in Fig. [3 This particular type of KCQ scheme will 
be refered to as arj (for coherent states and efficiency). In 
the encryption scheme for this new protocol, sketched on 
the left side in Fig. |21 Alice uses an explicit short secret 
key K, extended to a longer key K' by another encryp- 
tion mechanism such as a stream cipher, to modulate the 
parameters of a multimodc coherent state. For the free- 
space implementation to be presented, the qumodes are 
the two orthogonal modes of polarization. In this case, 
Alice uses the running key K' to specify a polarization 
basis from a set of A//2 uniformly spaced two- mode bases 
spanning a great circle on the Poincare sphere, as shown 
on the right in Fig. [5] Each basis consists of a polariza- 
tion state and its antipodal state at an angle tt from it, 
representing the and 1 bit value for that basis. 

The message X is encoded as Y(X, K'). This mapping 
of the stream of bits onto points on the surface of the 
Poincare sphere is the information to be shared by Alice 
(A) and Bob (B). Because of his knowledge of K', Bob is 
able to make a precise demodulation operation, produc- 
ing the plaintext X. He uses K' to apply the requisite 
polarization transformation to the received sequence of 
polarization states to return them to the linearly orthog- 



FIG. 3: Schematic of the experimental setup. SPCM, single 
photon counting module; PBS, polarization beamsplitter; L, 
lens; P, polarizer; NDF, neutral density filter. Two (optional) 
telescopes are shown for field work. 



onally polarized condition, representing the two original 
bits of the message X. Bob's demodulation is the inverse 
mapping transformation that was utilized by Alice. 

Figure |2| shows a table-top experimental setup we 
have implemented as a proof-of-principlc demonstra- 
tion of this scheme. The modulation systems utilized 
both at the transmitter and receiver ends are electro- 
optic modulators (EOMs)(New Focus, model 4104), the 
laser (Toshiba, model TOLD9225M) operates at 670nm, 
and the detectors are single photon counting modules 
(Perkin-Elmer, model SPCM-AQR-16) with interference 
filters of lOnm bandwidth in front. A polarization beam 
splitter (PBS) is used at the receiver to discriminate be- 
tween the orthogonal linear polarization states. Lenses 
(L) arc used to optimize the beam Raylcigh range within 
the EOMs. A personal computer containing an interface 
card (National Instruments, model PCI-6111E) is used 
to control the EOM's (digital-to-analog operation). The 
same card is also used for counting the output pulses 
from the detectors. In this configuration, a horizontally 
(H) or vertically (V) polarized light pulse representing 
bit or 1 is generated and transformed into an ellipti- 
cally polarized light state by application of the voltage 
Vk {k G K'). This voltage introduces a phase differ- 
ence Ac/)fc between the physical axes of the EOM, where 
A0/c = f ^ + 0Oi and K- and 4>o are specific to each 
modulator. This system operates, with bulk optics, at 
200kHz rate for demonstration purposes and faster fiber 
based systems (^IGHz) are being implemented for free 
space as well as fiber channels. 

Figure 21 shows a sequence of bits as received by Bob. 
The clear separation of the and 1 histograms allow him 
to make bit decisions with no error. The same sequence 
of bits as seen by Eve are shown in Fig. [3 giving her a 
very high probability of error {P^ - 1/2) in bit decisions 
because of her lacking the key. 

As an illustration of how the quantum noise of light 
can be utilized by the legitimate receiver on his behalf, 
in Fig. Elwe show the uncertainty in the polarization an- 



FIG. 4: Difference of V and H counts (V-H) from Bob's 
receiver operating at 200kHz, with the average number of re- 
ceived photons (n) — \a'^ =27 and M = 50. The right inset 
shows the corresponding histogram indicating clear separa- 
tion between the and 1 bit values. 
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FIG. 5: V— H counts from Eve's receiver in an opaque attack 
in which she takes all the power from the channel that would 
have gone to Bob. AH operating parameters are the same as 
in Fig. |4| except for Eve lacking the key K'. The correspond- 
ing histogram on the right shows that distinct bits are not 
distinguishable by her. 

glc produced by a two-mode measurement for an average 
total photon number {n) ~ 38. Regions of low- variance 
values are seen around and 7r/2 settings of the input 
polarization state [cf. Fig. Efc)]. Such determination of 
the polarization angle with angle-dependent uncertainty 
shows that a higher degree of precision in angle determi- 
nation can be achieved by an observer with a prior infor- 
mation on how to set the measuring apparatus than an- 
other who does not have this knowledge. From Fig. EJc) 
one can observe that for PBS-axis orientations close to 
the incoming field polarization direction the uncertainty 
in determination of the angle is small. The polarization 
angle is obtained by averaging arctan \Jnv jnu over the 
occurrence of uh and ny, the photon numbers reaching 
the detectors [cf. Fig. El^b)]. The approximation that Q 
can be obtained through arctan yjnv /nn is adequate for 
mesoscopic signals but becomes inadequate as (n) 
(quantum phase domain). Setting PBS without knowl- 
edge of this preferred orientation leads, in average, to a 
larger error in determination of the polarization angle. 
On the other hand, an observer setting his analyzer sys- 
tem close to the field polarization direction (0 or 7r/2) is 
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FIG. 6: (a) Measurement of the polarization angle through 
two- mode direct detection with use of a PBS. A A/2 waveplate 
is rotated to produce different polarization angles (j>. (b) Un- 
certainties in 0, A<j}, arise owing to photon-number fluctua- 
tions around (uh) and (nv), where uh and ny are the photon 
numbers sampled by the two detectors ((jiHriv) = {nH){nv))- 
(c) Variance in the angle (j) obtained via the two-mode mea- 
surement versus the angle set by the A/2 plate. Solid line is 
the theoretical prediction, not a fit, without considering the 
detector noises (mainly "dark" and Johnson noises), which 
will set the ultimate precision limit in these measurements. 
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(selected from M = 200 possible positions with — 6, 
and correctly recovered by Bob with the use of the 
key) while the second number is the basis extracted 
by Eve through a single measurement of nn and ny- 
S = {110, 117}, {84, 78}, {108, 99}, {90, 91}, {100, 107}, 
{102, 97}, {84, 84}, {110, 105}, {110, 111}, {114, 105}, {82, 86}, 
{100, 95}, {92, 72}, {108, 108}, {102, 90}, {108, 97}, {96, 93}, 
{110, 103}, {112, 121}, {86, 86}, {102, 100}, {88, 91}, {102, 94}, 
{106, 98}, {118, 135}. Clearly, Eve makes a large number 
of errors in determining the transmitted bases. 

In conclusion, we have demonstrated that under indi- 
vidual attacks Yuen's encryption protocol is secure with 
an adequate number of bases M and without the need for 
intrusion detection. Key expansion is also possible un- 
der this scheme, due to the better observation available to 
Bob with knowledge of the key. Significantly, the encryp- 
tion system allows for signal amplification as long as the 
security is guaranteed at the source for the following rea- 
son. While Eve has to resolve AI levels to tell the bit or 
K' without knowing the key. Bob has to resolve only two 
levels with the key. Thus, amplifier noise would hinder 
Eve's attack while it will not disrupt Bob's decryption. 
Furthermore, there is no need to decrypt/re-encrypt at 
the nodes of a properly designed communication line with 
a moderate number of amplifiers. 



FIG. 7: Number of bases covered by the quantum noise 
as a function of the number of photons (n) — \af ■ For a 
given (n), Alice repeatedly sets every basis, separated by tt/M 
(M = 500), one by one, by applying a voltage to the EOM. 
By measuring uh and nv , Eve performs an angle reconstruc- 
tion in an attempt to identify the basis used. Eve's standard 
deviation around the basis sent by Alice gives No-. Line is the 
theory. 



only limited by the optical precision of the analyzer used 
(which can be made arbitrarily small), and the noise in 
the detectors. 

The cryptography system should be designed so that 
the uncertainties caused by the quantum noise of light in 
the measurement of the polarization angles is large. It 
can be shown that the number of bases within a stan- 
dard deviation of the measured angle is No- = A//(7r|a|). 
Fig. [3 shows experimental results that confirm this de- 
pendence. 

The effect of noise on signal recovery by an eavesdrop- 
per in an opaque attack can be simulated by sending 
repeatedly the same bit, but varying K', from A to 
B when B (playing Eve) docs not apply the key to 
demodulate the signals. In the following sequence 5, 
the first number in a brace is the basis set by Alice 
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